What in the world is this URL?

Okay, my roomaates and I share this computer. One of them is an avid viewer of pornography. He was using the comp the other day, and now, in front of every URL is the URL below: **Not work safe, it takes you to a Russian pornography site, and is written in cerillic(sp?).**

h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?

and then the URL. I have downloaded and used AdAware and Spyblaster, and it wont get rid of the prefix URL. What do I need to do to get rid of this, as it redirects at random to XXX sites, and I dont like that, and neither does the gf. PLease help me!!! Thanks in advance for any suggestions.

Fergie

- disabled the link - LWM

 

This is the log. HTH

Fergie

PS- Thanks for putting the post in the right spot.

 

Hi,
I'll let the HijackThis-experts further look at your log.
But a quick reply: that sexyque site is listed in the IE-SPYAD list that puts it in the restricted zone of IE.
But that is of later concern, now you must get rid of all the nasties.....

 

Here is the new log. Thanks

 

Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.


O1 - Hosts: 66.159.20.28 worldsex.com
O1 - Hosts: 66.159.20.28 www.worldsex.com
O1 - Hosts: 66.159.20.29 thehun.net
O1 - Hosts: 66.159.20.29 www.thehun.net

Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

 

Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.

O4 - HKCU\..\Run: [Utopia Angel] C:\UTOPIA\ANGEL\ANGEL.EXE

Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

 

Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.


O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL

Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

PS:
Info at:
http://www.spywareinfoforum.com/bhos/archives/000170.php
Quote:
X {66993893-61B8-47DC-B10D-21E0C86DD9C8}: iehelper.dll - LinkReplacer
Further info:
http://www.doxdesk.com/parasite/LinkReplacer.html

 

Hi Fergie,

Are you using:
1. firewall
2. Antivirus program (AV)
3. AntiTrojan program (AT) ?

What AV are you using?
Would you please update your AV with its latest definitions, and then do a full system scan with it, as deep as possible.

I'm a little bit worried about that angel.exe file.
Let's do, after you did all the mentioned HijackThis fixes, first a full system scan with your AV.
Let us know how it goes, please.

Regards, Jan.

 

Norton antivirus, and no AT. Dont know what that is even. Angel is from a game...that I no longer play. Any suggestions as to what AT and new AV to run would be appreciated.

The weird URL no longer appears, and none regenerate themselves. Thanks for all the help.

Fergie

 

Good job, guys.

There is one more that is worrying me:
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

It has the same CLSID as the BHO and I think that is too much to be a coincidence.

Have HijackThis fix that one as well.

As fo AT and AV's have a look here: http://www.wilders.org/ and follow the links from there.

Regards,

Pieter

 

Thanks Pieter
I'm trying to learn it a little bit from you

 

Oops,

This one is bad news too:
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H

http://research.pestpatrol.com/PestInfo/Pest_Detail.asp?id=453060662

 

One final tip to help you prevent reinfection: close all windows, including HijackThis, but not the one overlooking the street. Throw your roommate out of it.

 

CO,

Hehe ! That's funny !!

Hopefully, with no FireWall, the Roomate will pass right through !!

Thanks for the chuckle !!

regards,
bill